Article image: Polling station sign is seen a day before General Election, in London, Great Britain on July 3, 2024. Image Credits: Jakub Porzycki / NurPhoto / Getty Images

A cyberattack on the U.K. Electoral Commission that resulted in the data breach of voter register records on 40 million people was entirely preventable had the organization used basic security measures, according to the findings of a damning report by the U.K.'s data protection watchdog published this week.

The report, published by the U.K.'s Information Commissioner's Office on Monday, blamed the Electoral Commission, which maintains copies of the U.K.'s registers of citizens eligible to vote in elections, for a series of security failings that led to the mass theft of voter information beginning August 2021.

The Electoral Commission did not discover the compromise of its systems until more than a year later, in October 2022, and took until August 2023 to publicly disclose the year-long data breach.

The Commission said at the time of public disclosure that the hackers broke into servers containing its email and stole, among other things, copies of the U.K. electoral registers. Those registers store information on voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and nonpublic voter information.

The U.K. government later attributed the intrusion to China, with senior officials warning that the stolen information could be used for “large-scale espionage and transnational repression of perceived dissidents and critics in the U.K.” China denied involvement in the breach.

The ICO issued its formal rebuke of the Electoral Commission on Monday for violating U.K. data protection laws, adding: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

For its part, the Electoral Commission conceded in a brief statement following the report's publication that “sufficient protections were not in place to prevent the cyber-attack on the Commission.”


Until the ICO's report, it wasn't clear exactly what led to the compromise of tens of millions of U.K. voters' information, or what could have been done differently.

Now we know that the ICO specifically blamed the Commission for not patching “known software vulnerabilities” in its email server, which was the initial point of intrusion for the hackers who made off with reams of voter data. The report also confirms a detail reported by TechCrunch in 2023: that the Commission's email was hosted on a self-hosted Microsoft Exchange server.

In its report, the ICO confirmed that at least two groups of malicious hackers broke into the Commission's self-hosted Exchange server during 2021 and 2022 using a chain of three vulnerabilities collectively referred to as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server.

Microsoft released patches for ProxyShell several months earlier, in April and May 2021, but the Commission had not installed them.

By August 2021, the U.S. cybersecurity agency CISA began sounding the alarm that malicious hackers were actively exploiting ProxyShell, at which point any organization with an effective security patching process in place had already rolled out the fixes months earlier and was already protected. The Electoral Commission was not one of those organizations.

“The Electoral Commission did not have an appropriate patching regime in place at the time of the incident,” reads the ICO's report. “This failing is a basic measure.”

Among the other notable security issues found during the ICO's investigation, the Electoral Commission allowed passwords that were “highly susceptible” to being guessed, and the Commission confirmed it was “aware” that parts of its infrastructure were out of date.

ICO deputy commissioner Stephen Bonner said in a statement on the ICO's report and reprimand: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

Why didn’t the ICO fine the Electoral Commission?

An entirely preventable cyberattack that exposed the personal data of 40 million U.K. voters might sound like a serious enough breach for the Electoral Commission to be penalized with a fine, not just a reprimand. Yet the ICO has only issued a public dressing-down for the sloppy security.

Public sector bodies have faced penalties for breaking data protection rules in the past. But in June 2022, under the prior Conservative government, the ICO announced it would trial a revised approach to enforcement on public bodies.

The regulator said the policy change meant public authorities would be unlikely to see large fines levied for breaches for the next two years, even as the ICO suggested incidents would still be thoroughly investigated. But the sector was told to expect increased use of reprimands and other enforcement powers, rather than fines.

In an open letter explaining the move at the time, information commissioner John Edwards wrote: “I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

At a glance, it might look like the Electoral Commission had the good fortune to discover its breach within the ICO's two-year trial of a softer approach to sectoral enforcement.

In concert with the ICO saying it would test fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive workflow of outreach to senior leaders at public authorities, to try to raise standards and drive data protection compliance across government bodies through a harm-prevention approach.

However, when Edwards unveiled the plan to test combining softer enforcement with proactive outreach, he conceded it would require effort at both ends, writing: “[W]e cannot do this on our own. There must be accountability to deliver these improvements on all sides.”

The Electoral Commission breach might therefore raise wider questions over the success of the ICO's trial, including whether public sector authorities have held up their side of a bargain that was supposed to justify the softer enforcement.

Certainly it does not appear that the Electoral Commission was adequately proactive in assessing breach risks in the early months of the ICO trial, that is, before it discovered the intrusion in October 2022. The ICO's reprimand labels the Commission's failure to patch known software flaws as a “basic measure,” for example, which sounds like the definition of the avoidable data breach the regulator had said it wanted its public sector policy shift to eliminate.

In this instance, however, the ICO claims it did not apply the softer public sector enforcement policy.

“The Electoral Commission has now taken the necessary steps we would expect to improve its security in the aftermath, including implementing a plan to modernise their infrastructure, as well as password policy controls and multi-factor authentication for all users,” the spokesperson added.

As the regulator tells it, no fine was issued because no data was misused, or rather, the ICO didn't find any evidence of misuse. Merely exposing the information of 40 million voters did not meet the ICO's bar.

One might question how much of the regulator's investigation was focused on figuring out how voter information might have been misused.

Returning to the ICO's public sector enforcement trial: in late June, as the experiment approached the two-year mark, the regulator issued a statement saying it would review the policy before making a decision on the future of its sectoral approach in the fall.

Whether the policy sticks or there's a shift to fewer reprimands and more fines for public sector data breaches remains to be seen. Regardless, the Electoral Commission breach case shows the ICO is reluctant to sanction the public sector, unless exposing people's data can be linked to demonstrable harm.

It's not clear how a regulatory approach that's lax on deterrence by design will help drive up data protection standards across government.